Solved

Visual Studio Update 4 broke IIS Express' ability to request client certificates

Posted on 2014-04-22
Last Modified: 2014-05-27
I had my IIS Express configured as specified on this page http://jasonrshaver.com/?tag=/Client+Certificates .  This allowed me to run my application in SSL for the 11 months from June 2013 all the way up to 9:50 AM EST this morning April 22, 2014.  At 9:54 AM EST we ran Visual Studio 2012 Update 4.  At 11:00 AM EST I opened my web application and ran a debug.  At no point did IE or IIS Express request a client Certificate.  The application runs an authentication process which evaluates the server variables and headers to get the Subject value from the client certificate.  But there was no Client certificate requested, so there was no Cert_Subject server variable, so the application failed before it could even get to the part I was coding.  

All of the settings in both applicationhost.config files are as directed on the web site.  This was not happening before VS 2012 Update 4 was run.  This started happening immediately after VS 2012 Update 4 was installed.  So there is a one to one correlation between these symptoms and the VS 2012 Update 4.  What did Update 4 do to my IIS Express?  How can I fix it?

I had a similar issue on another machine as noted on this thread http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_28372649.html  "Set up of IIS Express to accept Client Certificates working fine until moved to a new machine."  However, I went and looked at that machine and sure enough it is using Update 4 of Visual Studio 2012.  So it is obviously something in VS 2012 Update 4 that negatively impacted IIS Express.
Question by:Edward Joell
 

Author Comment

by:Edward Joell
ID: 40019850
In an effort to get back to my status before I stupidly applied Update 4 I did the following:

• I did an uninstall of VS Pro 2012 Update 4.  However this resulted in the incapacity of VS 2012 to open any project.  They were all reported as "incompatible".
• I did a repair of VS Pro 2012.  Same situation.
• I installed Update 3 of Visual Studio Pro 2012.  Same situation.
• I did an additional repair of VS Pro 2012.  This time projects were able to open.
• Ran MVC SSL project.  Certificates not requested which causes project to fail because no certificates were supplied.
• Ran Web Forms SSL project.  Certificates not requested which again causes project to fail because no certificates were supplied.
• Tried to create new web forms project.  Attempt fails with error message below.

Error: this template attempted to load component assembly 'NuGet.VisualStudio.Interop, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'.  For more information on this problem and how to enable this template see documentation on Customizing Project Templates.

Again I checked both the applicationhost.config in my profile and the one under Program Files\IIS Express\AppServer
Neither of them had been changed.

I am thinking my next step is to totally uninstall VS 2012 and IIS Express, and do the reinstall from the disk and then apply Update 3.
0
 

Author Comment

by:Edward Joell
ID: 40027463
Uninstalled IIS Express.  Uninstalled Visual Studio 2012.  Installed VS 2012 rtmrel from disk, which included IIS express.  Deleted old applicationhost.config files.  Generated new Web Forms project.  Opened fine.  Open new applicationhost.config file.  Made the changes below:


    <!-- If the user is using SSL and has a client certificate, use it -->
    <access sslFlags="SslNegotiateCert" />
AND
    <iisClientCertificateMappingAuthentication enabled="true">
    </iisClientCertificateMappingAuthentication>
Changed the new web forms project to use SSL and to use the https://localhost:43300/  URL.  Ran project.  Did not ask for client certs.  Ran project in SSL whose only purpose is to read all of server variables.  No certificate information passed.
0
 

Author Comment

by:Edward Joell
ID: 40059223
This is already the second question concerning this issue.  I have yet to get an answer from any of the experts, despite administrative assistance.
0
 

Author Comment

by:Edward Joell
ID: 40061690
I will do it like that.  The reason I stated it as I did was because I felt sure this must have happened to someone else before when they installed Update 4.

How about the following as a title:
"How to undo changes to IIS Express caused by VS 2012 Update 4"

or
"Need to restore IIS Express' ability to request client certificates."
0
 

Author Comment

by:Edward Joell
ID: 40063137
Based on all of my reading, (and I've read seemingly everything that is out there),  I've done everything required to get IIS Express to read client certs.  By all their reports it should be working now.  So I don't want to get a bunch of answers telling me to do the things I've already done, and then cause an expert with the real answer to shy away due to all of the activity on the question.

So I will go with one of those generic titles mentioned above.  Thank you for your help and advice.
(p.s. I will leave this question open in case someone even at this late date runs across it, or is having the same issue.)
0
 

Author Comment

by:Edward Joell
ID: 40065413
Thanks very, very much.  I will leave this question open for a couple of days before carrying out the re-do mentioned above.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40065435
I see a lot of posts about this question, but I fail to see anything sent to Microsoft to suggest that this might be a breaking change in 2012 Update 4.  My suggestion would be to report this as a bug.

If you have already reported the problem as a bug, and I failed to recognize that fact, this is a very detailed problem that might be because of a small change to a configuration file, such as the applicationhost.config.

I only use IIS Express with a very small number of web sites, most of which are legacy ASP.NET 2.0 web sites.  I usually use IIS with Windows 2008 Server R2.  Was there a specific reason to use IIS Express?  Do you have this issue with the full IIS version?

How are you debugging this issue?  This information will help understand your problem space, and maybe get a glimpse into your environment.
0
 

Author Comment

by:Edward Joell
ID: 40067124
@Bob_Learned
You've seen other posts from other people? Did they ever manage to fix the issue?  We called Microsoft Support to open a support case on Monday 5/12/2014.  The person who took the call stated I need to check something with someone I will call you back in a couple of minutes.  Three days later he has still not called back.  I have not reported it as a bug because I don't know that it is.  It may be that this behavior was by intent.  In which case I would really like to undo it.  As seen above I already uninstalled first Update 4 and then the whole of VS 2012 and IIS Express, and reinstalled from the rtmrel.  But this did not fix it.

My Development Environment:  I am developing on Windows 7.  The Navy does not permit the installation of regular IIS on its workstations.  They made some changes that prevent the attempt to install it from successfully completing.   The reason for using IIS Express rather than the Visual Studio Development server is to run in SSL and read the client certificates from whatever CAC card has logged into the machine.

How am I debugging the issue?  As stated above I reinstalled VS 2012 from scratch (including IIS Express) and made new applicationhost.config by opening a new web Forms project.  I then made the specified changes to the  new applicationhost.config to require client certificates and changed the project to an SSL project.  Certificates were not requested.  I then ran a web forms project that was created to print out all header information and server variables while running in SSL.  No client certificates were requested, none of the client certificate server variables were populated.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40067213
I think that they are the same posts from you about the same issue.  

I looked over the post here.  I shouldn't have assumed that the configuration process was repeated after IIS Express was reinstalled.  I see that you have, and it didn't help.

What version of IIS Express is installed?

If you have an open support case, and someone at Micro$oft doesn't support you, then I would try to find another person who will.  Good customer support means keeping in touch with the customer, even if you don't have a resolution for their problem.

Is the only indication that you have a problem, that you don't get a certificate requested?  Are there any exceptions in the Event Log?

What type of project are you working with?  The post you linked to talked about a Windows Phone 7 project.
0
 

Author Comment

by:Edward Joell
ID: 40076177
version of IIS Express is 8.0.1557
The MS support person never even got to the point of opening the support ticket.  That was most annoying. He was having problems establishing a support ticket so it seems he just quit. As I had some other difficulties I was addressing at the time I have not taken time to pursue this.  Now I have some time and I intend to do something about it.  

There are no events in the event log.
 I am working on a Visual Studio 2012 MVC 4 EF 5 project.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40076574
I would relate your experience with the Support person to someone at Microsoft.  That is not the way that customer support is supposed to work.  This is one of those crucial situations that you need the product experts to tell you what the problem is.
0
 

Author Comment

by:Edward Joell
ID: 40077735
Thank you O Learned One ;-)  How are your standard IIS and VBox skills?  My boss has suggested installing Windows 2008 R2 server on a VM on my machine.  Then I could deploy not only the finished app there for testing but as I recall I could also place my development project out there and reference it from VS 2012 (at least that is the way it used to work in VS 2003.  I have not had occasion to do that for many years).
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40077922
That is the only way that I do development work these days.  My laptop has horrible encryption software, which slows development down, so I have 3 different 2008 R2 VMs for different configurations, and distributed load testing.  It is a lot faster, and cleaner, since I don't need to worry about having software installed locally.
0
 

Author Comment

by:Edward Joell
ID: 40077925
O Learned One;
I need your help.  When I go out to the MS support to get a phone number, now I get the below page

https://support.microsoft.com/gp/oassiteerror


To add "Support Site" to the trusted sites zone, follow these steps:

1. On the Tools menu in Internet Explorer, click Internet Options.
2. Click the Security tab.
3. Click the Trusted Sites icon, and then click Sites.
4. Click to clear the Require server verification check box.
5. Check whether http://support.microsoft.com is listed in your trusted sites. If it is listed, type http://oas.support.microsoft.com, and then click Add.
6. Check whether https://support.microsoft.com is listed in your trusted sites. If it is listed, type https://oas.support.microsoft.com, and then click Add.
7. Close all dialog boxes, and then refresh the browser window.


Unfortunately we are not able to add sites to our trusted sites as that capability has been disabled in IE 8 for regular users and for users with admin rights the capability to open IE 8 has been removed.

So I tried using Firefox.  This time I get


http://support.microsoft.com/error.aspx?aspxerrorpath=/oas/default.aspx

Sorry, the page you requested is not available.

The page you were looking for is currently not available. The address may not be correct, or there may be a temporary problem with this site. Please try one of the following options:

    Check the address for typing errors.
    Click the Back button and try a different option from the navigation menu.
    Try this page again later.

For additional assistance, try one of the pages below:

    Home
    Go to the Microsoft Help and Support site
    Product Support Center (FAQs and Highlights)
    Review common support questions, issues, and new information for Microsoft products.
    TechNet
    Search the online support site that provides detailed "how-to" information for IT professionals concerning Microsoft products.
    MSDN
    Search the online support site that provides detailed information for development professionals concerning Microsoft products.


Can you get me a number for MS support?  (Meanwhile I will put an entry into the TechNet forum.)
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40077963
You might be able to find what you need here:

http://msdn.microsoft.com/en-us/subscriptions/bb266240.aspx

1-800-936-4900
0
 

Author Comment

by:Edward Joell
ID: 40078075
I was able to get one which I am copying here for future reference  1-800-936-4900
0
 

Author Comment

by:Edward Joell
ID: 40078113
Thanks Bob.
0
 

Author Comment

by:Edward Joell
ID: 40078141

My laptop has horrible encryption software,

Same here.  


so I have 3 different 2008 R2 VMs for different configurations, and distributed load testing.  It is a lot faster, and cleaner, since I don't need to worry about having software installed locally.

But if the VMs are installed on your laptop, you still have to install the software on your laptop although it is actually existing on the VM.  
The question I have though is the connection through the interface.  I had difficulty connecting via SSL to the IIS 6.0 set up on the Windows Server 2003 installation on this VM.  I could connect regularly but the deployed application would not work correctly unless Certificate information was requested and passed in, and when I tried to connect using SSL all I got was "Internet Explorer can not display web page."  Whereas without SSL I got our custom "Certificate Information not provided" error.  Is there something I am missing in the setup of the VM?
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40078166
The VMs are on a blade server, so I don't have that problem.  

I use Terminals to connect to the VM.

Terminals
https://terminals.codeplex.com/
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40078175
What type of certificates are you using?
0
 

Author Comment

by:Edward Joell
ID: 40078182
And that is our problem, we don't have access to a real server.  We have to use VMs on our local machines to emulate deployment to a server, as well as connecting to the database on a server remote from the web server.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40078188
What software are you using for Virtual Machines?
0
 

Author Comment

by:Edward Joell
ID: 40078210
The certs that are embedded in our CAC cards.  (Computer Access Cards).  ActivIdentity reads the CAC card and copies the cert to the client machine.  Then when a DoD server is hit its IIS requests a certificate and the browser displays all the locally stored certificates for the user logged in on that client machine (who logs in using the CAC card).  For most DoD servers there is displayed the email certs and the identifying certs.  But for some they are only configured to ask for the identifying certs. (I don't know how they did that since every setup I've made requests both certs.)  As stated above, in the applicationhost.config file the setting that gets IIS Express to request these certs is the access element on that file
<access sslFlags="SslNegotiateCert" />

This worked fine until VS 2012 Update 4 was installed.  

I don't know how to config IIS 6.0 to request these certs.  But seemingly I cannot connect to IIS 6.0 via SSL over the VM boundary, although that is not an issue when you don't use SSL.
0
 

Author Comment

by:Edward Joell
ID: 40078234
Oracle VBox  4.2.16
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40078238
Configuring IIS 6 has been quite a while for me, so this will be a trip down memory lane (albeit a fuzzy one)...

1) Configuring SSL on a Web Server or Web Site (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/56bdf977-14f8-4867-9c51-34c346d48b04.mspx?mfr=true

2) Enabling Client Certificates in IIS 6.0 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/096519f4-3079-4571-9d28-8e5d286c5ab9.mspx?mfr=true

3) Mapping a Specific Client Certificate to a User Account (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d4957ac9-889e-4292-b015-8f3ab83952c6.mspx?mfr=true
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40078266
You should be able to configure the virtual machine for networking.

Chapter 6. Virtual networking
http://www.virtualbox.org/manual/ch06.html
0
 

Author Comment

by:Edward Joell
ID: 40078339


2) Enabling Client Certificates in IIS 6.0 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/096519f4-3079-4571-9d28-8e5d286c5ab9.mspx?mfr=tru

Ha! Turns out I already had it configured as SSL and to request client certs.  (Must have read that article back in February when I was figuring out a way to deploy to our remote Test servers at the Data Center.)

My VM is configured for networking.  That is how I connect to the SQL Server, and to Report Manager on that Virtual server using this URL
http://cpvfssql200364/Reports_SQL_2008R2_64/Pages/Folder.aspx

Now I am trying to connect to the "Non-Default" named Web site on that server which I created especially to hold these new SSL web apps.
However it appears I have forgotten how to connect to the named web site.   I tried http://cpvfssql200364/TestProc40/TestGDLL/default.aspx where TestProc40 is the name of the named web site,  http://cpvfssql200364:81/TestGDLL/default.aspx where 81 is the port of the named web site, and I tried http://cpvfssql200364:81/TestProc40/TestGDLL/default.aspx .
But each of those returns 404.  Just for fun and giggles I connected to ReportManager using http://cpvfssql200364/Reports_SQL_2008R2_64/Pages/Folder.aspx and that worked fine.  But of course that is sitting on the Default
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40078372
Are you trying to connect to the web sites from outside the VM, or inside, when you get a 404 error?
0
 

Author Comment

by:Edward Joell
ID: 40078385
Outside the VM
0
 

Author Comment

by:Edward Joell
ID: 40078388
BRB, going to lunch (it's 1:24 PM here).
0
 

Author Comment

by:Edward Joell
ID: 40078397
BTW Finally got through to MS Support who opened a ticket.  Then someone called me back to get more detail to determine the engineer to submit this to.  So I am finally getting some movement out of MS (I swear they are as slow as the DoD).
0
 

Author Comment

by:Edward Joell
ID: 40081270
The MS support "Engineer" spent 3 hours to only succeed in carrying out Jason Shaver's part 1, http://www.jasonrshaver.com/post/2011/09/28/WP7-Client-Certificates-Part-1-(Setting-Up-IIS-Express).aspx  which added the localhost certificate created by IIS Express to the Trusted Certificate repository.  This only succeeded in preventing the "There is a problem with this website's security certificate."  certificate page from opening. It still did nothing to get IIS Express to request client certificates.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 40081306
If the Tier 1 support engineer was not able to help you, you should have the issue escalated to a higher tier.
0
 

Author Comment

by:Edward Joell
ID: 40081658
Supposedly that is to occur but I have to wait 22 hours before that happens.
0
 

Accepted Solution

by:
Edward Joell earned 0 total points
ID: 40083699
I contacted Microsoft Support.  After going around Robin Hood's barn the issue doing things with certificates, that had no bearing on the issue, it was finally resolved, (almost by accident) by the following.



• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
• On the Edit menu, point to New, and then click DWORD Value.
• Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
• Right-click SendTrustedIssuerList, and then click Modify.
• In the Value data box, type 0 if that value is not already displayed, and then click OK.

The access element's sslFlags attribute must be left set to "SslNegotiateCert"

And that fixed it.
0
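
The two settings named in the accepted solution can be audited, and the registry value applied, from PowerShell. This is an added example, not part of the original thread or of Microsoft Support's instructions; the default per-user applicationhost.config path, the `-Apply` and `-ConfigPath` parameters and the function names are assumptions made for the example.

```powershell
# Added example, not from the thread. Run from an elevated prompt to use -Apply.
param(
    [switch]$Apply,
    # Assumed per-user IIS Express config location; pass -ConfigPath if yours differs.
    [string]$ConfigPath = (Join-Path $env:USERPROFILE 'Documents\IISExpress\config\applicationhost.config')
)

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'SendTrustedIssuerList'

# Returns the DWORD as an int, or $null when the value has never been created.
function Get-IssuerListSetting {
    $prop = Get-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

# Lists every <access sslFlags="..."> element and whether it negotiates a client cert.
function Get-AccessSslFlags([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Config not found: $Path"
        return
    }
    $cfg = [xml](Get-Content -LiteralPath $Path)
    foreach ($node in $cfg.SelectNodes('//access[@sslFlags]')) {
        # An <access> element may sit inside <location path="site/app">; report which.
        $location = $node.SelectSingleNode('ancestor::location')
        $scope = '(server default)'
        if ($location) { $scope = $location.GetAttribute('path') }
        $flags = $node.GetAttribute('sslFlags') -split '\s*,\s*'
        New-Object psobject -Property @{
            Scope          = $scope
            SslFlags       = $flags -join ', '
            NegotiatesCert = ($flags -contains 'SslNegotiateCert')
        }
    }
}

$current = Get-IssuerListSetting
if ($null -eq $current) {
    "SendTrustedIssuerList: not set (OS default applies)"
} else {
    "SendTrustedIssuerList: $current"
}

# Create or overwrite the DWORD with 0, as in the accepted solution.
if ($Apply -and $current -ne 0) {
    New-ItemProperty -Path $SchannelKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    "SendTrustedIssuerList set to $(Get-IssuerListSetting)"
}

Get-AccessSslFlags $ConfigPath | Format-Table Scope, SslFlags, NegotiatesCert -AutoSize
```

The value lives under HKLM, so it applies to every Schannel-based server on the machine, not only IIS Express. With it set to 0 the server's certificate request carries no list of trusted issuers, so the client gets no CA names to filter its certificate choices by.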
 

Author Closing Comment

by:Edward Joell
ID: 40092486
This was the solution provided by Microsoft Support. As to whether it was the solution that should have been provided I don't know.  But it worked.
0
